rik/nanopb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix crash in pb_release() if called twice on same message.

Browse Source 
There was a double-free bug in pb_release() because it didn't set size fields
to zero after deallocation. Most commonly this happens if pb_decode() fails,
internally calls pb_release() and then application code also calls pb_release().
This commit is contained in:
Petteri Aimonen
2014-09-06 18:21:58 +03:00
parent 0dce9ef635
commit 13a07e35b6
1 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pb_decode.c
View File

@@ -895,16 +895,20 @@ void pb_release(const pb_field_t fields[], void *dest_struct)
pb_free(*pItem); pb_free(*pItem);
*pItem++ = NULL; *pItem++ = NULL;
} }
*(pb_size_t*)iter.pSize = 0;
} }
else if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE) else if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE)
{ {
/* Release fields in submessages */ /* Release fields in submessages */
void *pItem = *(void**)iter.pData; void *pItem = *(void**)iter.pData;
pb_size_t count = (pItem ? 1 : 0); if (pItem)
{
pb_size_t count = 1;
if (PB_HTYPE(type) == PB_HTYPE_REPEATED) if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
{ {
count = *(pb_size_t*)iter.pSize; count = *(pb_size_t*)iter.pSize;
*(pb_size_t*)iter.pSize = 0;
} }
while (count--) while (count--)
@@ -913,6 +917,7 @@ void pb_release(const pb_field_t fields[], void *dest_struct)
pItem = (uint8_t*)pItem + iter.pos->data_size; pItem = (uint8_t*)pItem + iter.pos->data_size;
} }
} }
}
/* Release main item */ /* Release main item */
pb_free(*(void**)iter.pData); pb_free(*(void**)iter.pData);